Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Firefox Government Open Source Security Privacy United States News Technology

FBI May Be Hoarding a Firefox Zero-Day (softpedia.com) 99

An anonymous reader writes: Vice reported at the end of March that the FBI and the U.S. Department of Justice are fighting tooth and nail to keep a Tor Browser exploit hidden from the public eye. Computer experts were quick to point out that this Tor Browser exploit, technically speaking, is a Firefox exploit, since Tor's browser is based on Firefox's ESR platform. Taking into account that Firefox follows open-source philosophy and reveals all security flaws reported, the effort which the FBI puts into restricting access to its exploit leads to only one conclusion, and that is that the FBI is hoarding a Firefox zero-day, currently unpatched in the browser's core -- something it hopes to use once again.
This discussion has been archived. No new comments can be posted.

FBI May Be Hoarding a Firefox Zero-Day

Comments Filter:
  • by turkeydance ( 1266624 ) on Friday April 15, 2016 @07:33PM (#51919183)
    hoarders don't just have ONE.
    • hoarders don't just have ONE.

      came here to post basically this sentiment, you beat me to it; I was gonna say I'd wager they have at least two.

      • by Anonymous Coward

        I came to post that there are countless unpatched negative-day holes... and upon seeing that someone else already had, I was going to post that I was going to post that, but upon seeing that you have posted that you were going to post that, I have instead posted this.

      • by rtb61 ( 674572 ) on Friday April 15, 2016 @11:24PM (#51919911) Homepage

        I would wager the stupid burns because they would need to believe that they are the only group hoarding those zero day faults or that their knowledge has not leaked or sold. That is the real problem with hoarding zero day flaws, the kind of stupid ego that pre-posits they are the only people who are smart enough to find it and all the other espionage groups are just script kiddies. In reality hoarders will find that those they are meant to be protecting end up being attacked by others and as they watch it unfold, they just sit them, thumb in bum, mind in neutral as they desperately try to pretend they had nothing to do with that attack or those victims.

        This has been covered before, can never use a zero day flaw because once it is detected it is gone (so major effort little to no reward), hoard a zero day flaw only to see someone else use it whilst you are still hoarding it (those victims, your fault and you are now an accessory before the fact and guilty of criminal negligence), hoard a zero day only to find others had already found it and are working on a fix and that fix is implemented before you can claim credit and earn kudos for you efforts (major effort expended and no respect gained for your agency or the support from the public that the gained respect would earn) and of course get busted hoarding an exploit and expect resounding condemnation from every one and a desire to by the public to expose the dick heads involved and a desire to see them prosecuted for criminal negligence because they have a duty of care and a duty of law to protect the public from harm.

      • by phantomfive ( 622387 ) on Friday April 15, 2016 @11:31PM (#51919927) Journal
        Given that it's Firefox, they probably have as many zero-days as they want. Firefox doesn't seem to take security seriously, for whatever reason.
        • It's not just firefox - browsers in general have a poor history of security, because they have grown over the years from simple page-rendering engines to instruments of almost unmanageable complexity. The more complex the program, the more flaws it will contain. This is why Lynx so rarely has security issues - because it doesn't actually do very much.

    • Re: (Score:3, Interesting)

      by Anonymous Coward

      NSA just buys them all the time on the black market. [theatlantic.com]
      FBI could do the same, it wouldn't even be that expensive.

      Protip: All malware writers are hoarding exploits -- and even selling them on the blackhat market.

    • by tlhIngan ( 30335 ) <slashdot.worf@net> on Saturday April 16, 2016 @02:16AM (#51920347)

      Why bother?

      Consider Pwn2Own removed Firefox from a contenders list for being "too easy" [slashdot.org] I hope the FBI didn't pay more than a few bucks for the one. I'm sure if they paid a few more bucks they could've had 10, 100, 1000 or more.

      Heck, there's tons of bugs that are reported and haven't been fixed at all...

      • by Anonymous Coward

        That headline is a half-truth. It doesn't mean that Firefox has a lot of holes.

        As explained in the comments, they chose to remove it because Mozilla had not recently implemented new features intended to bolster security, while the other browsers had done so in the same timeframe.

  • It feels like we're coming to a head here with regards to the government and technology. At some point, we will have to find a reasonable solution to the problem of something which is strong enough for us, but in some way allows the government (with an appropriate warrant) to access data. If we (the tech community) don't come up with a solution, at some point an inferior one might be forced on us. Imagine a significant (nuclear) terrorist threat that could be averted if the government could access X or Y
    • ---edit for formatting--- *why doesn't slashdot have a WYSIWYG editor yet? grumble, grumble*

      It feels like we're coming to a head here with regards to the government and technology.

      At some point, we will have to find a reasonable solution to the problem of something which is strong enough for us, but in some way allows the government (with an appropriate warrant) to access data.

      If we (the tech community) don't come up with a solution, at some point an inferior one might be forced on us. Imagine a
      • by Anonymous Coward

        With the known government lack of security how can it be? Online banking would have to vanish overnight.

      • by JustAnotherOldGuy ( 4145623 ) on Friday April 15, 2016 @08:10PM (#51919355) Journal

        ---edit for formatting--- *why doesn't slashdot have a WYSIWYG editor yet? grumble, grumble*

        Oh you dreamer...we can't even edit our own posts, a WYSIWYG editor is so far beyond that capability that you may as well wish for your own Martian Moonbase stocked with 19-year old nymphomaniacs with a Beer Generator powered by perpetual motion.

        • A WYSIWYG editor is potentially desirable, and could be got from someone else. Post-editing is not desirable, except by people who can't let their mistakes go because their asshole is so tight that it can make diamonds. Learn to use preview, no problem.

          • A WYSIWYG editor is potentially desirable, and could be got from someone else. Post-editing is not desirable, except by people who can't let their mistakes go because their asshole is so tight that it can make diamonds. Learn to use preview, no problem.

            That's just like, your opinion, man. Try this on for size:

            "A WYSIWYG editor is only desirable by weenies who want to use emoticons and who are at their core, attention whores. Post-editing is desirable, except by people who NEVER make mistakes and who think their shit don't stink. Someday you'll grow up and be able to understand other people's viewpoints, and then it will be no problem."

            See how easy it is to dismiss what other people want, while retaining your own gun-slit view of the world?

            Virtually every

            • Virtually every message board and forum in existence allows post editing, often within a short grace period to prevent abuse.

              Yes, and that is often stupid. It's good for forums where people are providing information. It's bad for forums where people are arguing. Slashdot is all about arguing, and therefore it would be bad here.

              If you're that anal about being made to look like a fool by someone fixing a typo or changing the content of their post, perhaps you're a little too tightly-wound for healthy participation in a discussion forum.

              This isn't about my asshole, this is about your lack of competence.

              • Slashdot is all about arguing, and therefore it would be bad here.

                It's a shame that you view slashdot this way (just another way for you to vent your spleen), but I think that says a lot more about you than it does about slashdot.

                -

                This isn't about my asshole, this is about your lack of competence.

                No, it's about you being an asshole, and your inability to understand that different people want different things. Your opinion isn't the gold standard, and with any luck you'll learn about that in High School.

                • No, it's about you being an asshole, and your inability to understand that different people want different things. Your opinion isn't the gold standard,

                  Ah, irony. You're being precisely the kind of asshole you're accusing me of being. This has been argued out over and over again here on Slashdot, and I'm doing you the courtesy of revisiting those dumber times to explain to you why you're wrong. It's not just my idea. It is, in fact, the will of the people.

                  • It's not just my idea. It is, in fact, the will of the people.

                    Actually, quite a few people* have expressed a desire for post editing, but as long as you're speaking for the will of the people I guess we'll all just fall in line, Herr Drinkypoo.

                    -

                    *Indeed, Whipslash had mentioned at one point that "it was coming", so maybe your the will of the people isn't all it's cracked up to be.

      • by Anonymous Coward

        We're reaching a point (especially with the new anti-encryption bill that's been reduced) that I'm more worried of a significant (nuclear) terrorist threat that IS POSSIBLE because the government could access X or Y. Government backdoors won't stay government only for long. Because if we cave to allow the US government a backdoor, Japan might request a backdoor in too. And England. And Germany. And countless others. At that point everything that ever was encrypted just becomes swiss cheese.

      • with a warrant, is this so unreasonable?

        Yes...

    • by BitterOak ( 537666 ) on Friday April 15, 2016 @07:44PM (#51919253)

      It feels like we're coming to a head here with regards to the government and technology. At some point, we will have to find a reasonable solution to the problem of something which is strong enough for us, but in some way allows the government (with an appropriate warrant) to access data.

      This statement seems to be based on a common misinterpretation of what a warrant is. Search warrants allow the police to search for things, but they do not necessarily guarantee that they will find what they're looking for, and most importantly, the existence of warrants does NOT incur an obligation on the public to live their day-to-day lives in such a way that future searches (with warrants) will be successful. Requiring computer users to use weakened or backdoored software for the simple reason that a warrant might be issued at some future time turns the Fourth Amendment to the Constitution entirely on its head

    • by Zuriel ( 1760072 )

      A new way of encrypting things that has a third key? Sure, but why not wish for world peace and a Star Trek style warp drive while you're at it?

      Things that don't currently exist aren't a reasonable solution, either. No matter how often Congress demands them.

    • by Kjella ( 173770 )

      I know the anti-government types will shy away from this, but, with a warrant, is this so unreasonable?

      It's a bit like asking if you want digital cameras that won't produce kiddie porn. While you might score brownie points with the technically clueless, no engineer will think that's a sane idea.

      a) Stealing the decryption key is a huge goldmine
      b) There's more than one government with conflicting interests
      c) There's open source and you can encrypt more than once
      d) Nobody will know if you've tampered with it until they try

      All of these means you're asking for magic. Say you want Apple to hold the device keys for

    • by spire3661 ( 1038968 ) on Friday April 15, 2016 @08:49PM (#51919479) Journal
      NO, there is no compromise. I am within my rights to make an unbreakable lock. The government has to learn to accept that. Warrants can be abused like any other power, the idea that everyone has to roll over at the sight of any warrant is flat out wrong. I get what you are saying, due process, i get it, but there are limits to what the government can ask. we are now at the stopping point.
    • by guruevi ( 827432 )

      Yes, it is unreasonable. First of all it's unconstitutional, second of all you can not 'solve' the problem without also giving access to pretty much every other entity in the world.

    • by dissy ( 172727 )

      At some point, we will have to find a reasonable solution to the problem of something which is strong enough for us, but in some way allows the government (with an appropriate warrant) to access data.

      and

      I know the anti-government types will shy away from this, but, with a warrant, is this so unreasonable?

      Well, let's examine some history here and see if it is unreasonable or not.

      Of all the terrorist attacks on US soil, encryption was only involved in one, and once decrypted had no data within at all.

      Of all terrorist attacks on US soil, the FBI already knew about the planned attacks weeks to many months in advance. They knew who would be performing the attack, where they would be attacking, and when the attack would take place.

      Yet even with knowing most of the details of the attacks ahead of time, they st

    • At some point, we will have to find a reasonable solution to the problem of something which is strong enough for us, but in some way allows the government (with an appropriate warrant) to access data

      The solution is here: Apple can no longer decrypt random iphones. That's it. There are bills that have been written to change that, but none are expected to even show up on the floor of the house of congress or the senate.

      • none are expected to even show up on the floor of the house of congress or the senate.

        Certainly not before the election.

    • All of you arguing with SultanCemil are pretty much idiots who don't understand what he is trying to say and definitely don't understand American culture. What he is trying to say is that like it or not the government IS going to do something about not being able to decrypt phones used in criminal acts. All it takes is one major event whether it's a mass shooting or a terrorist attack that "might have been prevented if we only were able to get into so and so's phone" and the population at large will support
      • So surrender because we might be defeated? I don't think so. We can win this issue because Google + Apple + Microsoft + many others will join the EFF and all our traditional allies in lobbying against any backdoor proposal. Who will lobby on the other side? Law enforcement? Our allies have both deeper pockets and by far the better policy argument.

    • Government should protect its citizens. It would be ideal if the people we appoint and pay to solutions us, worked hard to find the best encryption to protect secure our digital assets. Instead, the officials work to weaken us so they can claim more reason to protect us. Every citizens should be armed with strong computing environments possible to protect us from digital attacks from those who want to do us harm (everyone else).

      I hope nothing happens to our country. But when a country is invaded, the first

  • Nor is it proven that the problem is within Firefox...it could as well be in the Tor modifications to Firefox...if, indeed, there is such a problem at all.

    Wild speculation, whether here at /., or at Motherboard, is absent evidence. If I were an agent of the FBI and I DIDN'T know ANYTHING about some putative "back door" into Tor, I'd claim I did, to scare the #$&*%^ out of people who DO use Tor. They can, apparently, legally do that with impunity as officers for the law.

    Until there's evidence to suppor

    • by Anonymous Coward

      Nor is it proven that the problem is within Firefox...it could as well be in the Tor modifications to Firefox...if, indeed, there is such a problem at all.

      Wild speculation, whether here at /., or at Motherboard, is absent evidence. If I were an agent of the FBI and I DIDN'T know ANYTHING about some putative "back door" into Tor, I'd claim I did, to scare the #$&*%^ out of people who DO use Tor. They can, apparently, legally do that with impunity as officers for the law.

      Until there's evidence to support this idle speculation, it is bunkum.

      According to the linked article, that is exactly what the defense attorney is after: proof. Society can not allow a prosecutor to claim, in court, that a 'magical black box' tells them the defendant is guilty.

    • It doesn't need to be a security hole. It just needs to be some way, any way, to make Firefox connect without using the Tor proxy. All it takes is one obscure call in javascript somewhere that ignores the proxy settings.

  • by Anonymous Coward

    >Since the US DoJ is mounting an all-out assault to keep the Tor Browser exploit out of the public eye, common sense dictates that this is a previously unknown issue, otherwise, why bother.

    Must every story on Slashdot about data security, privacy and the law be linked to articles that are so fucking hysterical in tone, so lacking in facts but so plentiful in speculation, and written so amateurishly (read: like a blog)?

  • by physicsphairy ( 720718 ) on Friday April 15, 2016 @10:23PM (#51919773)

    According to their website [fbi.gov]

    The National Security Branch carries out the FBI’s responsibilities as the lead intelligence and law enforcement agency in the nation to detect, deter, and disrupt national security threats to the United States and its interests. Our goal is to collect, analyze, and share intelligence to develop a comprehensive understanding of—and to defeat—national security threats directed against the United States while preserving civil liberties.

    We continue to refine our intelligence capabilities to position ourselves to stay ahead of the evolving threats our nation faces. Intelligence directs how we understand threats, how we prioritize and investigate these threats, and how we target our resources to address them.

    To ensure success, we continue to integrate our intelligence and law enforcement capabilities in every operational program. The traditional distinction between national security and criminal matters is increasingly blurred as terrorists commit crimes to finance their activities and computer hackers create vulnerabilities that can be exploited. The integration of intelligence and investigations makes the FBI uniquely situated to address these threats and vulnerabilities across programs. The FBI draws on both intelligence and law enforcement tools to determine strategically where and when to disrupt threats.

    Is it just me or does a reasonable reading of this statement imply that a big part of the FBI's mission is to help eliminate vulnerabilities in software used by American citizens and companies? Is there an interpretation in which they are credibly following their own mission statement?

    • Is there an interpretation in which they are credibly following their own mission statement?

      An incredible one?

    • by Anonymous Coward

      The prime driving force in any organization is to continue it's own existence.

      Allowing crime to happen such that there is someone to prosecute is necessary for the continuation of FBI's budget. They have more incentive to not defend than to do what is best for the people they serve.

  • But let me point out the remotest possibility that the IP address tracked down wouldn't necessarily prove a particular person was involved.

    Theoretically the best way for person to hide would be to hide behind and implicate another person. (Seriously watch more Columbo.) You would have to show that a computer wasn't infected in such a way as to secretly relay traffic. One would have to assume the software was designed to erase itself if discovered.

    But I have to make the point. Getting an IP address is only t

  • the tor project should shy away from Firefox (ESR)?

    https://it.slashdot.org/story/... [slashdot.org]

    http://www.eweek.com/security/... [eweek.com]

    • by Anonymous Coward

      As I posted elsewhere, that headline is a half-truth. It doesn't mean that Firefox has a lot of holes.

      They 'disqualified' it because Mozilla had not recently implemented new features intended to bolster security, while the other browsers had done so in the same timeframe.

      Whether those security features actually harden the browser, make it more difficult to exploit, is a different question.

  • And people wonder why I run the HotJava program as my main browser...;-)

  • As an uberhaxor, I had UNSUCCESSFUL malicious attempts made on my self-compiled Linux platform in 2014 that subsequently led to another 2 remote exploit attempts in the days after and then surveillance activities on the ground as I traveled several times between a pot growing agricultural area of Colorado (visiting friends) and a resort area (where I live). My laptop in question may have been later compromised by more advanced techniques. I still write code on it, though

    Malicious code can be injected at

  • If (you - the FBI, NSA, etc...) think it is okay to have access to ALL my (i.e. our) stuff, then WE require access to ALL of your stuff!

The last person that quit or was fired will be held responsible for everything that goes wrong -- until the next person quits or is fired.

Working...